Potential Fraud Opportunity -- Synchrony Bank

[Tri-Tip]

Curious if anyone else here uses Synchrony Bank?

Their online login always used to send me a one-time password when I attempted to log in, and of course, it sent it to the number on file.

I tried to login yesterday (used the url from the statement), and now it's asking me to enter the phone number to use to send the one-time password. That doesn't make sense to me, because they are supposed to send it to my phone number to validate my account, not to any number I give them.

I held off on entering the phone number, called Customer Service (phone number from the statement) and they didn't seem to think it was an issue.

Am I being over-cautious? There are so many forms of fraud these days, I don't think I can be too careful.

[TC94]

Quote:

Originally Posted by Tri-Tip

Curious if anyone else here uses Synchrony Bank?

Their online login always used to send me a one-time password when I attempted to log in, and of course, it sent it to the number on file.

I tried to login yesterday (used the url from the statement), and now it's asking me to enter the phone number to use to send the one-time password. That doesn't make sense to me, because they are supposed to send it to my phone number to validate my account, not to any number I give them.

I held off on entering the phone number, called Customer Service (phone number from the statement) and they didn't seem to think it was an issue.

Am I being over-cautious? There are so many forms of fraud these days, I don't think I can be too careful.

Sometimes that can be an extra security layer. If a number is entered that doesn’t match the one on file, nothing should happen.

It’s a way for banks to periodically check that the number on file is correct. That’s my best guess here, FWIW.

[watchtabs]

I would be cautious

[msnow]

I’m a retired IT security exec and it is fishy to me too. They should already have your cell # in the database. Asking for you to enter the last 4 numbers is done sometimes as confirmation but letting a potential hacker put in his own number to access your account is not something any company would do. Are you sure you are on the legitimate web site and is it https?


Sent from my iPad using Tapatalk

[GradyPhilpott]

I wouldn't do it.

[77T]

Do you mean a one-time auth code after you have entered a valid userID and Password? (Also known as two-factor authentication)


Sent from my iPhone using Tapatalk Pro

[Tri-Tip]

Quote:

Originally Posted by 77T

Do you mean a one-time auth code after you have entered a valid userID and Password? (Also known as two-factor authentication)


Sent from my iPhone using Tapatalk Pro

Yes. If it's a phony site, they already have my Login and Password. All they need is to be able to clone my cell and they can get into my real account.

[77T]

Yes - that is a possibility.

If you’re concerned, perhaps log-in directly from your web browser. Be sure https: is in the web url.

Then change your password online.

That should give you some peace of mind.


Sent from my iPhone using Tapatalk Pro

[Tri-Tip]

Quote:

Originally Posted by msnow

I’m a retired IT security exec and it is fishy to me too. They should already have your cell # in the database. Asking for you to enter the last 4 numbers is done sometimes as confirmation but letting a potential hacker put in his own number to access your account is not something any company would do. Are you sure you are on the legitimate web site and is it https?


Sent from my iPad using Tapatalk

Yes, it's https, and if I use my correct User ID, but an incorrect password, I don't get past the login screen, so that means that they validated by password with my login. Of course, before I thought something was fishy, I attempted to login, so that combination (User ID and Password) could have been stored in the phony site and now being validated.

[Tri-Tip]

Quote:

Originally Posted by TC94

Sometimes that can be an extra security layer. If a number is entered that doesn’t match the one on file, nothing should happen.

It’s a way for banks to periodically check that the number on file is correct. That’s my best guess here, FWIW.

I tried using a different phone number and it would not accept it.

[Tri-Tip]

After verifying that the site would not send a Two-Factor Authentication Code to a number that was not associated with my account, I made the choice to enter my number and I received the code and logged in normally.

Changed my password and hope all is well, I'll keep my eye on it daily.

[JasoninDenver]

All two factor authentication tools I use block out all but the last two or four digits of the phone number I want it sent to. None ask for the whole number so I would definitely change user ID and Password.

[Calatrava r]

A lot of times it is a phony scam site posing as the bank. This bank is fine.

[msnow]

Quote:

Originally Posted by Tri-Tip

Yes, it's https, and if I use my correct User ID, but an incorrect password, I don't get past the login screen, so that means that they validated by password with my login. Of course, before I thought something was fishy, I attempted to login, so that combination (User ID and Password) could have been stored in the phony site and now being validated.

Ok, as you already know you need to call them, tell them what happened and have them help you reset your password. You should be fine wrt financials. Don’t worry they deal with this all the time.


Sent from my iPad using Tapatalk

[superdog]

Quote:

Originally Posted by watchtabs

I would be cautious

Exactly.

[hdrazor251]

I recommend using their phone app. I’ve never had an issue.

[REQUIEMnJADED4U]

Quote:

Originally Posted by hdrazor251

I recommend using their phone app. I’ve never had an issue.

+1
I too never had an issue on their app and never encountered what you did on their site that I can recall.

[Laszlo]

I would download their app, they must have one. Impossible to have a fake app on App Store. You’ll still probably have to authenticate via mobile phone (don’t use land line phone), or by email, a.k.a., two-factor authentication) as 77T mentioned above. Pretty common these days and good security

[omar10213245]

Quote:

Originally Posted by Tri-Tip

Curious if anyone else here uses Synchrony Bank?

Their online login always used to send me a one-time password when I attempted to log in, and of course, it sent it to the number on file.

I tried to login yesterday (used the url from the statement), and now it's asking me to enter the phone number to use to send the one-time password. That doesn't make sense to me, because they are supposed to send it to my phone number to validate my account, not to any number I give them.

I held off on entering the phone number, called Customer Service (phone number from the statement) and they didn't seem to think it was an issue.

Am I being over-cautious? There are so many forms of fraud these days, I don't think I can be too careful.

my James Free Jewelers charge card is through Synchrony, and I've never run into any issues with them.

[VictorGMT]

Quote:

Originally Posted by Laszlo

Impossible to have a fake app on App Store.

I knew what you meant on a Rolex forum, but far from universally true.

https://techviral.net/identify-fake-...le-play-store/

[Laszlo]

Quote:

Originally Posted by VictorGMT

I knew what you meant on a Rolex forum, but far from universally true.

https://techviral.net/identify-fake-...le-play-store/

:) I suppose it can happen but that is Google after all. I highly doubt much gets passed Apple. Their app approvals are really strict. But I’m sure it can happen regardless.

[Krash]

If I read this right, you used the URL from a statement, and the statement looks legitimate, right?

Basically, the URL and integrity of the statement is being questioned here…

So if a fraudster was able to recreate your statement, with account number, transactions, and all the correct data, then you’re already TOTALLY SCREWED. They have all the information they need for stealing your money and identity. There is no need for them to contact you or “phish” for your username and password. It would be stupid for them to do so.

This is why I think you’re okay. It sounds legit. Also it’s not uncommon for companies to change their security processes from time-to-time and ask for cell phone info again even if it’s already on file.

With all that said, NEVER EVER click on a strange or suspicious URL.

Btw, I’m a technology executive for a bank…so I do have expertise in this field.


Sent from my iPhone using Tapatalk

[brandrea]

Why are there so many bad people out there

Hope you get it sorted OP

[m j b]

Quote:

Originally Posted by Tri-Tip

After verifying that the site would not send a Two-Factor Authentication Code to a number that was not associated with my account, I made the choice to enter my number and I received the code and logged in normally.

Changed my password and hope all is well, I'll keep my eye on it daily.

You did good and I'm sure you're fine.

Everyone else though, take note of this and be careful out there!

Just recently my mother was almost taken in by a scam, but fortunately she called me first and I told her to stop. She nearly sent in $20K+ just because these scammers are getting more and more sophisticated and clever.

I also work in I/T and I have a good idea of how most of this stuff works. It's scary. I also have the office next to the guy in charge of our network and infrastructure security, and they run tests and scans and hire people to break into our system...

[Tri-Tip]

Quote:

Originally Posted by Krash

If I read this right, you used the URL from a statement, and the statement looks legitimate, right?

Basically, the URL and integrity of the statement is being questioned here…

So if a fraudster was able to recreate your statement, with account number, transactions, and all the correct data, then you’re already TOTALLY SCREWED. They have all the information they need for stealing your money and identity. There is no need for them to contact you or “phish” for your username and password. It would be stupid for them to do so.

This is why I think you’re okay. It sounds legit. Also it’s not uncommon for companies to change their security processes from time-to-time and ask for cell phone info again even if it’s already on file.

With all that said, NEVER EVER click on a strange or suspicious URL.

Btw, I’m a technology executive for a bank…so I do have expertise in this field.


Sent from my iPhone using Tapatalk

I used the URL (typed, not clicked on) from a current statement, and I had already verified that is the same URL that was on past statements going back several years, so the correctness of the URL was not in question. My concern was that the URL no longer pointed at the actual bank's website because I was promped to enter my phone number to receive the 2FA code. In the past, it was always just sent. This lead me to be concerned that if someone had my User ID and Password, they could pass the 2FA test with any phone.

To alleviate my fears, I typed in a phone number that did not match my cell phone and it was not accepted. This lead me to believe that the site was in fact not compromised in any way.

I am very security conscious myself, which is why I questioned when something changed.

I have a Yubikey, but unfortunately, not many sites utilize this technology yet.

[White Collar Boy]

I misunderstood the title, and thought this was a job listing for a white collar criminal.

[soyjer]

Quote:

Originally Posted by Tri-Tip

Curious if anyone else here uses Synchrony Bank?

Their online login always used to send me a one-time password when I attempted to log in, and of course, it sent it to the number on file.

I tried to login yesterday (used the url from the statement), and now it's asking me to enter the phone number to use to send the one-time password. That doesn't make sense to me, because they are supposed to send it to my phone number to validate my account, not to any number I give them.

I held off on entering the phone number, called Customer Service (phone number from the statement) and they didn't seem to think it was an issue.

Am I being over-cautious? There are so many forms of fraud these days, I don't think I can be too careful.

I used my girlfriend's phone number twice to log in successfully yesterday.
She's a beneficiary, and we live together, but that's it.
Synchrony has a bizarre way of choosing eligible phone numbers for 2FA. Before the current system, they provided a drop-down list with phone numbers they gleaned from credit companies, etc., most of them long ago disconnected and now belonging to random strangers.
I'm trying to find out from them why they don't just use the phone number(s) provided to them by the account owner(s).